- Researchers say criminals hide malware in images hosted on reputable websites
- At least two different groups were seen deploying two types of info thieves
- The campaigns exploit an old Excel bug, HP Wolf Security claims
Hackers hide malware in website images to go unnoticed and compromise as many computers as possible, experts have warned.
A new Threat Insights report from HP Wolf Security, based on data from millions of endpoints, claims that there are currently large campaigns spreading VIP Keylogger and 0bj3ctivityStealer. Since the same techniques and loaders are used in both, the researchers suspect that two groups are using the same malware sets to deliver different payloads.
“In both campaigns, attackers hid the same malicious code in images on file hosting sites such as archive.org, as well as using the same loader to install the final payload,” the researchers explained. “Such techniques help attackers evade detection by making image files appear benign when downloaded from well-known websites, bypassing network security such as web proxies that rely on reputation.”
Throwing GenAI into the mix
The attack starts with a phishing email pretending to be an invoice or purchase order. The attachment is usually an Excel document designed to exploit CVE-2017-11882, an old bug in the equation editor, to download a VBScript file.
Alex Holland, Principal Threat Researcher at HP Security Lab, said that phishing kits, paired with Generative AI (GenAI) tools, have significantly lowered the barrier to entry, exacerbating the ever-present risk of malware: “This allows groups to concentrate themselves to cheat their targets and choose the best payload for the job – for example by targeting players with malicious cheat stocks.”
When we discussed GenAI, the researchers said that malicious actors use it to create malicious HTML documents. They also identified an XWorm remote access trojan (RAT) campaign initiated by HTML smuggling, which contained malicious code that downloads and runs the malware.
The loader was clearly written by an AI, they added, as it included a line-by-line description and the design of the HTML page.
Both VIP Keylogger and 0bj3ctivityStealer are infostealer malware that capture and exfiltrate sensitive information such as passwords, cryptocurrency wallet information, sensitive files, and more.
